What just happened? Comcast has patched two previously unreported vulnerabilities in its online customer portal that exposed the partial home address and Social Security numbers of more than 26.5 million customers. Fortunately for Comcast, the flaws were reported before they could be exploited by nefarious parties.
Security researcher Ryan Stevenson discovered the flaws, according to BuzzFeed News.
One flaw was exploitable by visiting Comcast’s “in-home authentication” page in which customers can pay their bills without signing in. The portal asked customers to verify their account by selecting one of four partial home addresses from a list if it appeared as though the user was connected to the customer’s home network.
Obtaining and spoofing an IP address is relatively easy, and by refreshing the login page, three of the suggested partial addresses would change while the fourth (and correct) address would stay the same. With a partial address and a bit more detective work, it would be possible to determine the city, state and postal code associated with it.
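The refresh leak described above comes from drawing fresh decoys on every page load, so only the real address survives across reloads. The following is an added illustration, not Comcast's code: it contrasts a reload-dependent decoy picker with one that derives the same four options for a given account every time (a keyed hash of a hypothetical account id seeds the selection). The addresses and account id are constructed sample values.

```python
import hashlib
import random

# Constructed sample data: one real partial address and a pool of decoys.
REAL_PARTIAL_ADDRESS = "1*** ELM ST"
DECOY_POOL = [
    "2*** OAK AVE", "3*** PINE RD", "4*** MAPLE DR", "5*** CEDAR LN",
    "6*** BIRCH CT", "7*** WALNUT WAY", "8*** SPRUCE PL", "9*** ASH BLVD",
]


def weak_choices(real_address):
    """Flawed design: three decoys are drawn fresh on every page load.
    Reloading and intersecting the option sets leaves only the real address."""
    decoys = random.sample(DECOY_POOL, 3)
    options = decoys + [real_address]
    random.shuffle(options)
    return options


def stable_choices(account_id, real_address, server_secret):
    """Hardened design (assumed, not Comcast's fix): decoys and their order are
    derived from a keyed hash of the account id, so every reload shows the
    identical four options and reloading reveals nothing new."""
    seed = hashlib.sha256(server_secret + account_id.encode("utf-8")).digest()
    rng = random.Random(seed)
    decoys = rng.sample(DECOY_POOL, 3)
    options = decoys + [real_address]
    rng.shuffle(options)
    return options


def survives_reloads(choice_fn, reloads):
    """Intersect the option sets across several reloads. What remains is what an
    observer learns from reloading; used here to measure the leak of each design."""
    common = set(choice_fn())
    for _ in range(reloads - 1):
        common &= set(choice_fn())
    return common


if __name__ == "__main__":
    print("weak  :", survives_reloads(lambda: weak_choices(REAL_PARTIAL_ADDRESS), 20))
    print("stable:", survives_reloads(
        lambda: stable_choices("acct-001", REAL_PARTIAL_ADDRESS, b"server-secret"), 20))
```

Pinning the decoys only closes the reload channel; a one-in-four multiple-choice prompt is still a weak proof of identity, which is why disabling the feature outright, as the article reports, is the more conservative option.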
Comcast has since disabled in-home authentication and requires customers to manually input personal information to verify their account when paying a bill.
The other vulnerability involved a sign-up page on Comcast’s website for authorized dealers. With just a customer’s billing address, it was possible for a hacker to brute-force the last four digits of a customer’s Social Security number. Comcast’s portal didn’t restrict the number of attempts possible, meaning a user could keep plugging in digits until the correct combination was found.
After being tipped off about the vulnerability, Comcast added a rate limit to the portal.
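Four digits give only 10,000 possibilities, so the control that matters is the one the article says was missing: a cap on failed attempts per target account. The code below is an added example, not Comcast's implementation; it verifies a last-4 value against a constructed record, locks the account after a configurable number of recent failures, and includes a harness that counts how many wrong guesses the verifier tolerates so the effect of the limit can be measured.

```python
import hmac
import time

# Constructed sample record: billing address -> last four SSN digits.
ACCOUNTS = {"123 Main St, Anytown": "4821"}

MAX_ATTEMPTS = 5          # assumed policy value
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count


class Verifier:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = {}  # account key -> timestamps of recent failed attempts

    def _recent_failures(self, key):
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return recent

    def verify(self, billing_address, ssn_last4):
        """Return 'ok', 'denied' or 'locked'. The limit is keyed by the target
        account, so rotating source addresses does not reset the counter."""
        key = billing_address.strip().lower()
        if len(self._recent_failures(key)) >= self.max_attempts:
            return "locked"
        expected = ACCOUNTS.get(billing_address)
        # Compare against a dummy when no record exists so timing stays uniform.
        candidate = expected if expected is not None else "0000"
        well_formed = len(ssn_last4) == 4 and ssn_last4.isdigit()
        match = well_formed and hmac.compare_digest(candidate, ssn_last4)
        if match and expected is not None:
            self._failures.pop(key, None)
            return "ok"
        self._failures.setdefault(key, []).append(self.clock())
        return "denied"


def attempts_before_outcome(verifier, billing_address):
    """Feed sequential guesses until the verifier either locks the account or
    accepts one. Returns (attempts_made, guessed). This measures the control;
    with no limit the whole 10,000-value space is searchable."""
    attempts = 0
    for guess in range(10000):
        result = verifier.verify(billing_address, "%04d" % guess)
        attempts += 1
        if result == "locked":
            return attempts - 1, False
        if result == "ok":
            return attempts, True
    return attempts, False


if __name__ == "__main__":
    print("unlimited:", attempts_before_outcome(Verifier(max_attempts=10000), "123 Main St, Anytown"))
    print("limited  :", attempts_before_outcome(Verifier(), "123 Main St, Anytown"))
```

Keying the limit on the account under test rather than only on the caller's IP address is the important design choice: a per-IP limit alone is sidestepped by spreading guesses across many sources, whereas a per-account cap bounds the total number of guesses anyone can make against one customer.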
Comcast spokesperson David McGuire told BuzzFeed News that the company quickly investigated the issues and blocked both vulnerabilities within hours, eliminating the ability to exploit them. McGuire added that Comcast has no reason to believe the vulnerabilities were ever used against customers outside of the research described in the report.
Screenshots courtesy BuzzFeed News